THE BLOG

Why Business Must Understand the Threat of the Internet of Things

18/11/2015 09:57 GMT | Updated 17/11/2016 10:12 GMT

The potential of the Internet of Things (IoT) is jaw dropping. Its value to industry could be worth $11.1trillion a year globally and it will revolutionise the places in which we work and live.

The IoT is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. Basically, it means that an air conditioning unit can now be connected to the Internet.

However this exciting potential does come with risk; internet facing devices present a host of new dangers.

It is estimated that the business-to-business value for the IoT is $5trillion, with a huge amount of this linked to corporate real estate. Clearly, this marks a significant development for businesses and their workplaces. The IoT will herald data-driven scheduling, operational efficiencies and a reduction in manpower costs. However, whilst long discussed, the security threat of the IoT is now only starting to be more fully appreciated.

Growing threat

We have seen 'Stuxnet' used to create physical damage through cyber-attack and 'creepware' developed which uses internet-connected webcams to spy on people. Meanwhile 'ransomware', which forces users to pay money before accessing their usual systems, has been installed on IoT devices by hackers. The discovery of a computer virus that specifically attacks IoT devices designed for Linux operating systems is particularly worrying.

Overall, the greatest concern is the remote attack of future building management systems, Industrial Control Systems and Supervisory Control and Data Acquisition networks. All of these will be regular components of the future IoT real estate portfolio.

The automotive industry recently provided the best example of the IoT's risks. This year saw Jeep and Chrysler vehicles hacked remotely through their internet-facing components. This allowed the attackers to remotely take control of transmission, steering and brakes through the vehicle's satellite navigation system- a watershed moment. Yet the real challenge for Chrysler came later. A patch was developed and ready when the fault was originally revealed, but the vehicles lacked the necessary hardware to receive remotely and install the update. The result? A mass call for 1.4million vehicle owners to visit their local dealership or to install redemptive software through USB sticks. This was a massive blow to Chrysler's reputation.

This offensive/defensive disparity (the ability to attack remotely, but not defend) is emblematic of the issues facing corporate real estate.

Opportunities for hackers

The IoT provides millions of embedded entry points for hackers. The more machines, devices and sensors that become integrated and interoperable, the more they are open to hacking.

Importantly, IoT devices are not currently developed with security in mind. There is no accepted best practise to enforce even minimal security. The complete lack of basic security principles for IoT devices raises significant questions about the vulnerability of infrastructure and real estate.

Previously, it was hoped that being obscure was enough protection from hackers. Companies hoped that hackers would simply not know about their IoT devices. Unfortunately 'security by obscurity' is no longer sufficient. Tools, such as the SHODAN search engine, allow attackers to scour the globe for hacking opportunities. These tools alert hackers to internet-connected security cameras, HVAC (heating, ventilation and air conditioning) systems and building controls.

Many IoT device manufacturers do not include the ability to alter the default configuration settings of their products. This means that once one device's settings have been acquired, the rest of an office's devices can be hacked easily. Worryingly, these settings are freely available through operating manuals. Even when default settings can be configured, the sheer number of devices makes changing settings impractical since there is no convenient means to do so on a large scale.

What business must do

So, how can business respond?

Protection will need to be applied in depth and include people, process and practises to ensure some degree of holistic security assurance. To begin with, there needs to be an assessment of an office's IoT risks in an integrated way. This will inform the creation of an extensive system of defences that will be hard for hackers to penetrate.

Working with IT departments, businesses need to develop and rigorously enforce universal best practises for IoT devices. Networks must be secured. In effect, this means that a compromised heating system offers no route to other devices, such as crucial life safety systems, intellectual property, or even the crown jewels sof a company: its data.

IT can no longer be viewed as a silo. Information security measures, practises and culture must span across an enterprise and all of its employees - not just the IT department. People are a company's greatest strength but they are also the greatest security weakness. Culture, behaviour and a better understanding of threat can dramatically reduce a company's risk profile.

Most importantly, it is vital that staff understand best practise. As the people who will be regularly using and maintaining IoT devices, companies must ensure that their employees know how to operate securely in this brave new world.